Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware craziness

Started by killthelights , Nov 28 2005 01:49 AM

  • Please log in to reply

#1
killthelights
Posted 28 November 2005 - 01:49 AM

killthelights

    Member

  • Member
  • PipPip
  • 35 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:41:44 AM, on 11/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\lockx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...MetaStream3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E6DE127-3281-4EF2-A11E-00CA8F06F60E}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Antispam Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
O23 - Service: Panda Imanager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe



to whom may get to me....thank you so much.
  • 0

Advertisements

#2
Wizard
Posted 28 November 2005 - 06:43 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi killthelights and Welcome to GeekstoGo!


Download WinPFind:
WinPFind

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Download and unzip BFUzip from HERE

Right Click the Zip folder and select "Extract All"

Locate and double click BFU.exe

Now locate and click the Greenish Blue globe with the chord plugged into it

When the next small window pops up-> Copy&Paste this URL into it and click OK
http://webpages.char...er/lockxbot.bfu

Confirm that URL is in the "ScriptFile to Execute" box and that lockxbot.bfu is in the BFU Folder.

Now click the "Execute" button and let the script run

Reboot into SAFE MODE(F5 or F8 when restarting)
Here is a link on how to boot into Safe Mode:
SafeMode


Run the BFU script once more while in Safe Mode to assure nothing survived.

Just click the folder beside "ScriptFile to Execute" and double click lockxbot.bfu

Now click the "Execute" button and let the script run


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> Type in MSCONFIG -> click OK.

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Restart Normal and have the PC Scanned here:
F-Secure

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with a fresh HijackThis log and the reports from WinPFind and F-Secure
  • 0

#3
killthelights
Posted 29 November 2005 - 08:18 PM

killthelights

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
ok, first off...my compute will not allow me to install ActiveX controls. i don't know why but it won't. Everything will go normal (click the bar> install ActiveX Control> Install..._) but once i click install nothing happens. This is not the first time it's done this. it will not allow me to install the activex for panda's online scan either.

but on to the good stuff...


Logfile of HijackThis v1.99.1
Scan saved at 8:11:55 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...MetaStream3.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E6DE127-3281-4EF2-A11E-00CA8F06F60E}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Antispam Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
O23 - Service: Panda Imanager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe







WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 9/3/2002 11:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 9/3/2002 12:10:48 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
PECompact2 7/6/2005 9:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 9:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/28/2005 10:54:14 PM S 2048 C:\WINDOWS\bootstat.dat
10/4/2005 12:05:48 AM H 8628 C:\WINDOWS\HELP\netcfg.GID
11/29/2005 1:40:38 AM H 1024 C:\WINDOWS\SYSTEM32\config\system.LOG
11/29/2005 1:39:16 AM H 1024 C:\WINDOWS\SYSTEM32\config\software.LOG
11/28/2005 10:57:40 PM H 1024 C:\WINDOWS\SYSTEM32\config\default.LOG
11/28/2005 10:54:18 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
11/29/2005 12:10:20 AM H 1024 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
11/28/2005 8:28:26 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
11/28/2005 8:28:26 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\99da4150-2c16-472f-91fe-dfcbb56d5c73
11/28/2005 10:54:18 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9/3/2002 11:40:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9/3/2002 12:06:36 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 9/3/2002 11:40:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 12:06:36 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/24/2005 12:38:14 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/24/2005 12:15:42 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
5/24/2005 12:38:14 AM HS 84 C:\Documents and Settings\Sir\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5/24/2005 12:15:42 AM HS 62 C:\Documents and Settings\Sir\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sbcydsl 3.12 = sbcydsl 3.12
YComp 5.0.0.0 = Yahoo! Companion
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Platinum Internet Security\pavOLE.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Platinum Internet Security\pavOLE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13F537F0-AF09-11d6-9029-0002B31F9E59}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SCANINICIO "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
APVXDWIN "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
CHotkey mHotkey.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
UserFaultCheck %systemroot%\system32\dumprep 0 -u
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/29/2005 1:40:56 AM
  • 0

#4
Wizard
Posted 30 November 2005 - 05:47 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

Try the Online scan again and let me know what Happens?
  • 0

#5
killthelights
Posted 01 December 2005 - 06:14 PM

killthelights

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
when the database download window is up...i'm promted " unable to download databases! "


:tazz:
  • 0

#6
Wizard
Posted 02 December 2005 - 03:22 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,lets try another route.

Create a folder on your desktop called Sysclean.

Go to http://www.trendmicr...ownload/dcs.asp and download sysclean package to the folder you made.

Go to http://www.trendmicr...oad/pattern.asp and download the Official Pattern Release for windows to your desktop.

This file will be called lptXXX.zip (XXX represents the version number)
Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX.

Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.

Turn off your antivirus which is installed on your system because it can interfere with the Sysclean-scan.

Open the sysclean-folder and doubleclick sysclean.com.
Check: Automatically clean or delete detected files.
Click scan.
When the scan is finished, select: 'view log'.
Copy and paste this log in your next reply.
  • 0

#7
killthelights
Posted 02 December 2005 - 11:58 PM

killthelights

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-12-02, 23:02:30, Auto-clean mode specified.
2005-12-02, 23:02:30, Running scanner "C:\Documents and Settings\Sir\Desktop\sysclean\TSC.BIN"...
2005-12-02, 23:03:26, Scanner "C:\Documents and Settings\Sir\Desktop\sysclean\TSC.BIN" has finished running.
2005-12-02, 23:03:26, TSC Log:

2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\system.LOG": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\software.LOG": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\default.LOG": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\SECURITY": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\SAM": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\SAM.LOG": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\SECURITY.LOG": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\SYSTEM": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\SOFTWARE": Access is denied.
2005-12-02, 23:05:22, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\config\DEFAULT": Access is denied.
2005-12-02, 23:06:09, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CatRoot2\edb.log": Access is denied.
2005-12-02, 23:06:09, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb": Access is denied.
2005-12-02, 23:06:35, An error occurred while scanning file "C:\WINDOWS\SoftwareDistribution\EventCache\{71A7AA00-9B49-495E-8966-3F67E3AEB9DD}.bin": Access is denied.
2005-12-02, 23:06:35, An error occurred while scanning file "C:\WINDOWS\SoftwareDistribution\EventCache\{AB06A17F-46CE-4C6B-AE7B-3FF8907EE8A8}.bin": Access is denied.
2005-12-02, 23:11:59, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2005-12-02, 23:11:59, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2005-12-02, 23:11:59, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-12-02, 23:11:59, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-12-02, 23:12:00, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-12-02, 23:12:00, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2005-12-02, 23:12:00, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-12-02, 23:12:00, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-12-02, 23:12:00, An error occurred while scanning file "C:\Documents and Settings\Sir\NTUSER.DAT": Access is denied.
2005-12-02, 23:12:00, An error occurred while scanning file "C:\Documents and Settings\Sir\ntuser.dat.LOG": Access is denied.
2005-12-02, 23:12:13, An error occurred while scanning file "C:\Documents and Settings\Sir\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-12-02, 23:12:13, An error occurred while scanning file "C:\Documents and Settings\Sir\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-12-02, 23:22:26, Running scanner "C:\Documents and Settings\Sir\Desktop\sysclean\VSCANTM.BIN"...
2005-12-02, 23:42:16, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 12/2/2005 23:22:29
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 981 (114328 Patterns) (2005/12/01) (298100)
Command Line: C:\Documents and Settings\Sir\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Sir\Desktop\sysclean

C:\Documents and Settings\Sir\msdirectx.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP155\A0017816.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP156\A0017825.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP157\A0017845.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP158\A0017861.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP158\A0017871.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP159\A0017943.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP160\A0017953.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP161\A0017965.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP162\A0017976.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP162\A0017988.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP163\A0018014.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP164\A0018025.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP165\A0018040.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP165\A0018051.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP166\A0018061.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP167\A0018071.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP167\A0018081.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP168\A0018091.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP169\A0018104.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP170\A0018115.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP171\A0018128.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP172\A0018142.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP173\A0018150.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP174\A0018165.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP175\A0018173.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP176\A0018180.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP177\A0018186.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP178\A0018200.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP178\A0018218.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP179\A0018229.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP180\A0018236.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP180\A0018246.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP181\A0018257.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP184\A0018984.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP186\A0019000.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP187\A0019007.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP200\A0020459.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP200\A0020505.exe [BKDR_SDBOT.NU]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP200\A0020506.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP205\A0020674.sys [TROJ_ROOTKIT.H]
32027 files have been read.
32027 files have been checked.
26722 files have been scanned.
63794 files have been scanned. (including files in archived)
41 files containing viruses.
Found 41 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/2/2005 23:42:14
---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-02, 23:42:16, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 12/2/2005 23:22:29
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 981 (114328 Patterns) (2005/12/01) (298100)
Command Line: C:\Documents and Settings\Sir\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Sir\Desktop\sysclean

Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\Documents and Settings\Sir\msdirectx.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP155\A0017816.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP156\A0017825.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP157\A0017845.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP158\A0017861.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP158\A0017871.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP159\A0017943.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP160\A0017953.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP161\A0017965.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP162\A0017976.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP162\A0017988.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP163\A0018014.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP164\A0018025.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP165\A0018040.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP165\A0018051.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP166\A0018061.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP167\A0018071.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP167\A0018081.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP168\A0018091.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP169\A0018104.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP170\A0018115.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP171\A0018128.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP172\A0018142.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP173\A0018150.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP174\A0018165.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP175\A0018173.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP176\A0018180.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP177\A0018186.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP178\A0018200.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP178\A0018218.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP179\A0018229.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP180\A0018236.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP180\A0018246.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP181\A0018257.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP184\A0018984.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP186\A0019000.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP187\A0019007.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP200\A0020459.sys
Success Clean [ BKDR_SDBOT.NU]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP200\A0020505.exe
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP200\A0020506.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{6672F540-6EA4-49B6-AA5E-E61201DA784C}\RP205\A0020674.sys
32027 files have been read.
32027 files have been checked.
26722 files have been scanned.
63794 files have been scanned. (including files in archived)
41 files containing viruses.
Found 41 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/2/2005 23:42:14 19 minutes 43 seconds (1182.95 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-02, 23:42:16, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 12/2/2005 23:22:29
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 981 (114328 Patterns) (2005/12/01) (298100)
Command Line: C:\Documents and Settings\Sir\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Sir\Desktop\sysclean

32027 files have been read.
32027 files have been checked.
26722 files have been scanned.
63794 files have been scanned. (including files in archived)
41 files containing viruses.
Found 41 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/2/2005 23:42:14 19 minutes 43 seconds (1182.95 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-02, 23:42:16, Scanner "C:\Documents and Settings\Sir\Desktop\sysclean\VSCANTM.BIN" has finished running.

Edited by killthelights, 03 December 2005 - 12:01 AM.

  • 0

#8
Wizard
Posted 04 December 2005 - 05:10 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
We need to search the System for that file

Copy the text below and Save it to the Desktop as Find.bat


dir \msdirectx.sys /a h /s > File.txt



Double Click Find.bat and a dos window will open,wait for the dos window to close to ensue the search is completed.

File.txt will appear on the desktop,copy&paste the contents of that text file in the next reply please.
  • 0

#9
killthelights
Posted 04 December 2005 - 07:26 PM

killthelights

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Volume in drive C is MY HD
Volume Serial Number is 07D0-0114



...

that's all.

( just a note: i uninstalled my Panda Platinum because my subscription was up. so i now have the SBC DSL virus protection. I ran a scan with that, and it found some files, so i deleted them. if you would like me to re-post a HJT log, i'd be happy to._)
  • 0

#10
Wizard
Posted 06 December 2005 - 05:43 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
If you will,go back to Post 2 and run the Online Scan that I gave the link to.

Save any results the online scan produces.


Go back to Safe Mode and Scan with WinFind once more.

Restart Normal and post a fresh HijackThis along with the results from WinPFind and the online scan.
  • 0

#11
killthelights
Posted 07 December 2005 - 04:27 PM

killthelights

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:21:31 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...MetaStream3.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E6DE127-3281-4EF2-A11E-00CA8F06F60E}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 9/3/2002 11:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 9/3/2002 12:10:48 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
PECompact2 7/6/2005 9:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 9:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/6/2005 8:34:22 PM S 2048 C:\WINDOWS\bootstat.dat
12/6/2005 9:11:12 PM H 1024 C:\WINDOWS\SYSTEM32\config\system.LOG
12/6/2005 11:15:40 PM H 1024 C:\WINDOWS\SYSTEM32\config\software.LOG
12/6/2005 8:36:40 PM H 1024 C:\WINDOWS\SYSTEM32\config\default.LOG
12/6/2005 8:34:28 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
12/6/2005 8:44:40 PM H 1024 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
11/28/2005 8:28:26 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
11/28/2005 8:28:26 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\99da4150-2c16-472f-91fe-dfcbb56d5c73
12/6/2005 8:34:30 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9/3/2002 11:40:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9/3/2002 12:06:36 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 9/3/2002 11:40:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 12:06:36 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/24/2005 12:38:14 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/24/2005 12:15:42 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
5/24/2005 12:38:14 AM HS 84 C:\Documents and Settings\Sir\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5/24/2005 12:15:42 AM HS 62 C:\Documents and Settings\Sir\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sbcydsl 3.12 = sbcydsl 3.12
YComp 5.0.0.0 = Yahoo! Companion
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}
SidebarAutoLaunch Class = C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = SBC Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CHotkey mHotkey.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
UserFaultCheck %systemroot%\system32\dumprep 0 -u
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
YBrowser C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
CaAvTray "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
CAVRID "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
YOP C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/6/2005 11:16:22 PM



and the results are.... :tazz:
  • 0

#12
Wizard
Posted 10 December 2005 - 05:24 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry for all the delays,work has been crazy this week.


Update me,can you get the Online Scan to run?

How is th PC acting now,any better?
  • 0

#13
killthelights
Posted 10 December 2005 - 08:43 PM

killthelights

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
computer is working quite well.

i was able to run the online scan.

nothing came up.


and i'm not going to complain one bit about the delays.

you do these things for free, and i cannot complain.

i thank you sooo much.
  • 0

#14
Wizard
Posted 11 December 2005 - 05:51 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Good Deal! :)

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore


Renable System Restore and restart the PC,this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us! :tazz:
  • 0

#15
killthelights
Posted 17 December 2005 - 12:30 AM

killthelights

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Sorry it took me so long to post this, but...

Thank you so much.

this is the best website i've ever been to.

you guys ( and gals_) are amazing.

thanks again.

:tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP